ICICI Bank is committed to protecting the privacy of individuals (customers, employees) whose personal data it holds, and processing such personal data in a way that is consistent with applicable laws. We believe that the data privacy framework should be in line with the evolving regulatory changes and digital transformation.
As the Bank has a global presence, it is committed to ensuring compliance with applicable laws across these jurisdictions. It has an integrated and centralised strategy for achieving data privacy compliance across all jurisdictions. A set of principles has been defined with respect to handling customer data. There is a mechanism in place, which is accessible to all employees in the Bank, for reporting any form of personal data incident. A Personal Data Incident Handling Forum (PDIHF) has been constituted, which comprises the Data Protection Officer (DPO) and senior members from the Information Security Group, Operational Risk Management Group, Fraud Management Group, Human Resources, Compliance and Legal teams. Any personal data related incident reported through the service request undergoes detailed investigation, and a report is presented to the PDIHF on a monthly basis.
An external review of the privacy maturity assessment was conducted in fiscal 2023, which placed the Bank’s data privacy practices above industry benchmarks.
As per its Personal Data Protection Standard, the Bank ensures that all personal data it processes is kept secure using appropriate technical and organisational measures, including necessary policies, processes and controls. These measures include physical access control, encryption or pseudonymisation, stress testing, risk assessment, data protection impact assessment and providing training to the Bank's employees. The Bank periodically updates the Personal Data Protection Standard to cover the personal data protection regulatory requirements applicable to the Bank in India and its overseas offices, and to reflect changes in data protection laws and regulations.
Privacy regulations require the personal data of customers to be protected throughout its entire lifecycle. Accordingly, the Bank has undertaken several comprehensive measures such as categorising all personal data and sensitive personal data as ‘Confidential Information’, keeping a record of all its processing activities, entering into non-disclosure and confidentiality agreements with employees and third parties who are privy to personal data of the customers and providing customers the option to exercise various rights which they enjoy under applicable data protection regulations and incident handling procedures.
With increasing digitisation, ensuring effective management and governance of data has become a critical business enabler.
To further strengthen data quality, data standardisation and governance around data, a Chief Data Officer (CDO) was appointed in fiscal 2023.
The role of the CDO includes creating the governance and processes around data generation and processing and compliance with regulations across all aspects of its operations. The CDO is also responsible for implementation of the Bank's Data Governance Policy.
There are e-learning modules specifically on the concept of personal data and its protection to build awareness among employees. Periodic training is provided to employees, and various data privacy awareness initiatives are taken up by the Data Privacy team to help employees get an overview of data privacy and its importance in day-to-day work. Periodic e-mailers are also sent to employees to create awareness about data privacy norms and practices.
The Bank has established a strong governance framework for data privacy management. The Bank’s Data Protection Officer (DPO) oversees all privacy-related developments for the Bank as a data processor for international banking business and as a data controller for NRI and remittance businesses. The Bank has designated data protection managers/representatives from each business function and at every overseas location to ensure the proper implementation of the privacy standard.
A Privacy Steering Committee meets every six months, and oversees various privacy-related initiatives. Further, the Bank’s Code of Business Conduct and Ethics covers guidelines on customer privacy and confidentiality of data.